
I have a form on the site which allows the user to input a URL; the node.js app will then use the request module to fetch that URL, analyze the response, and print some data back to the user.

I want to make sure rogue users are unable to input intranet addresses, such as 127.0.0.1, localhost, 192.168.0.1, etc., as it seems like a potential security risk. Is it possible to do this without querying the IP of the host twice (first with dns.lookup and then with the request module)?

Fluffy
  • Good question (+1) - you might also want to check that the domain contacted in the request is the same one that has just been validated as an attacker could set a very low TTL and then change the lookup once it has passed your validation. – SilverlightFox Aug 05 '14 at 14:14
